[02/10] libiberty: Fix a crash in d_encoding()

Message ID CY4PR22MB01026887C9C21D1CB090BBE9E7850@CY4PR22MB0102.namprd22.prod.outlook.com
State New
Series
  • [01/10] libiberty: Fix an out of bounds read in d_expression_1()

Commit Message

Ben L Jan. 11, 2019, 12:14 a.m.
Hi all,

First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
there's obvious errors repeated in my patches. AFAICT I should be sending each
change individually rather than as one bulk patch, so I'm sorry about the spam
too.

All of these changes were found by fuzzing libiberty's demanglers over the
past week, and I have at least one more that it's currently crashing out on
but I haven't had time to look into why yet.

Obviously since this is my first time emailing I don't have write access to
commit any of these, so if any are approved then I'd be grateful if you can
commit them too.

Thanks,
Ben

--

Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes
a crash due to d_right (dc) returning NULL inside d_encoding().

Check for this case and handle it as an error rather than crashing when trying
to dereference the right side's type.

     * cp-demangle.c (d_encoding): Guard against NULL return values from
     d_right (dc).
     * testsuite/demangle-expected: Add testcase.

Comments

Jeff Law April 30, 2019, 2:20 p.m. | #1
On 1/10/19 5:14 PM, Ben L wrote:
> Hi all,
> 
> First time emailing gcc-patches, so I'm sorry if I get any of this wrong or if
> there's obvious errors repeated in my patches. AFAICT I should be sending each
> change individually rather than as one bulk patch, so I'm sorry about the spam
> too.
> 
> All of these changes were found by fuzzing libiberty's demanglers over the
> past week, and I have at least one more that it's currently crashing out on
> but I haven't had time to look into why yet.
> 
> Obviously since this is my first time emailing I don't have write access to
> commit any of these, so if any are approved then I'd be grateful if you can
> commit them too.
> 
> Thanks,
> Ben
> 
> --
> 
> Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes
> a crash due to d_right (dc) returning NULL inside d_encoding().
> 
> Check for this case and handle it as an error rather than crashing when trying
> to dereference the right side's type.
> 
>      * cp-demangle.c (d_encoding): Guard against NULL return values from
>      d_right (dc).
>      * testsuite/demangle-expected: Add testcase.
> 

Thanks.  I've installed this on the trunk.

Jeff

Patch

From 5102da933a72628e34b68402168e571b09c54581 Mon Sep 17 00:00:00 2001
From: bobsayshilol <bobsayshilol@live.co.uk>
Date: Wed, 9 Jan 2019 22:05:16 +0000
Subject: [PATCH 02/10] libiberty: Fix a crash in d_encoding().

Passing "_ZZaSFvOEES_" to cplus_demangle() without the DMGL_PARAMS flag causes
a crash due to d_right (dc) returning NULL inside d_encoding().

Check for this case and handle it as an error rather than crashing when trying
to dereference the right side's type.

    * cp-demangle.c (d_encoding): Guard against NULL return values from
    d_right (dc).
    * testsuite/demangle-expected: Add testcase.

diff --git a/libiberty/cp-demangle.c b/libiberty/cp-demangle.c
index dddd8f6..02b5f9e 100644
--- a/libiberty/cp-demangle.c
+++ b/libiberty/cp-demangle.c
@@ -1330,8 +1330,14 @@  d_encoding (struct d_info *di, int top_level)
 	     really apply here; this happens when parsing a class
 	     which is local to a function.  */
 	  if (dc->type == DEMANGLE_COMPONENT_LOCAL_NAME)
-	    while (is_fnqual_component_type (d_right (dc)->type))
-	      d_right (dc) = d_left (d_right (dc));
+	    {
+	      while (d_right (dc) != NULL
+		     && is_fnqual_component_type (d_right (dc)->type))
+		d_right (dc) = d_left (d_right (dc));
+
+	      if (d_right (dc) == NULL)
+		dc = NULL;
+	    }
 	}
       else
 	{
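Review bot: The `if (d_right (dc) == NULL) dc = NULL;` branch deserves a one-line comment explaining why a LOCAL_NAME whose right side is NULL is treated as a malformed encoding rather than left as-is; without it, a later reader will not know whether `dc = NULL` is a deliberate parse failure or an oversight. The loop guard itself is correct as written: `d_right (dc) != NULL` is re-evaluated on every iteration, so it also covers the case where `d_left (d_right (dc))` yields NULL after the first qualifier has been stripped, and the post-loop check then turns that into the same error path the commit message describes. If the function's callers already treat a NULL return as "could not demangle", the comment only needs to say so.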
diff --git a/libiberty/testsuite/demangle-expected b/libiberty/testsuite/demangle-expected
index 328d51a..eb5264d 100644
--- a/libiberty/testsuite/demangle-expected
+++ b/libiberty/testsuite/demangle-expected
@@ -72,6 +72,11 @@  _Q8ccQ4M2e.
 
 _ZmmAtl
 _ZmmAtl
+# Could crash
+--no-params
+_ZZaSFvOEES_
+_ZZaSFvOEES_
+_ZZaSFvOEES_
 #
 # demangler/80513 Test for bogus characters after __thunk_
 
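Review bot: The `# Could crash` comment should name what crashed, for example `# Could crash: NULL d_right (dc) in d_encoding()`, so the regression test stays meaningful once the surrounding code changes; other entries in this file (see the `demangler/80513` line just below) record the reason the case exists. The test itself matches the commit message: `--no-params` exercises the path without DMGL_PARAMS, and the expected output being identical to the input `_ZZaSFvOEES_` encodes the intended new behaviour, that the string is rejected as an error and echoed back unchanged instead of dereferencing a NULL component.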
-- 
2.20.1